5 Managing Users and Mobile Roles

This chapter documents mobile user and mobile role management topics. It is organized into the following sections:

5.1 About the Mobile Users Page and Mobile Roles Page in the Mobile Security Manager Console

Users and roles are managed using your existing directory server. Users are assigned to one or more roles/groups on the directory server; user and role definitions are then referenced by Oracle Mobile Security Suite. System Administrators use roles to associate policies with users, and to perform bulk actions on groups of users based on their role.

Use the Mobile Users page to:

  • View basic user information from the connected Identity Store

  • Invite a user to register a device/workspace

Use the Mobile Roles page to:

  • View role information from the connected Identity Store

  • Add Mobile Security Policies to a role (or remove policies from a role)

  • Invite users by role assignment to register a device/Workspace in Oracle Mobile Security Suite

  • Lock, unlock, and wipe devices and workspaces by role assignment

Note:

To learn how to open the Mobile Users page and Mobile Roles page, see Section 2.2.2, "Opening the Mobile Security Manager Console Pages" and choose Mobile Users or Mobile Roles from the page menu.

5.2 About the Identity Store Directory Server

Oracle Mobile Security Suite requires a constant connection to a directory server to obtain identity information. The directory server is the authoritative source for user and role (group) information, and Mobile Security Manager synchronizes information with the directory server on a scheduled basis. Users and roles cannot be directly added to, or removed from, Mobile Security Manager. Instead, perform these tasks using the management console for your directory server.

Supported directory servers include Oracle Unified Directory (OUD), Oracle Internet Directory (OID), Oracle Directory Server Enterprise Edition (ODSEE), and Active Directory. To configure the identity store connection, create an Identity Directory Service Profile in the Oracle Access Management console. Then, in Mobile Security Manager, set the IDS Profile Name on the Identity Store Settings tab.

See the logical diagrams in Section 1.5, "Understanding the Oracle Mobile Security Suite Process Flows" for a visual representation of how the identity store directory server interacts with the other Oracle Mobile Security Suite components.

5.3 Managing Mobile Users

This section includes the following topics:

5.3.1 How to Search for a User in Oracle Mobile Security Suite

Follow these steps to find a user record in Oracle Mobile Security Suite.

  1. Open the Users page in the Mobile Security Manager console. To learn how, see Section 2.2.2, "Opening the Mobile Security Manager Console Pages."

  2. Search for the user by user name, display name, or e-mail address.

    Users that meet the search criteria are listed in the Search Results section of the page.

  3. Use the Sort menu to sort search results. The following options are provided:

    • Name - Sort search results alphabetically by user name.

    • Display Name - Sort search results alphabetically by display name.

    • E-mail - Sort search results alphabetically by e-mail address.

  4. Click the user record to open and close additional user details.

5.3.2 Making Users Eligible to Register a Device

Users are eligible to register a device if there is an Invite button next to their user record on the Mobile Users page. To be eligible, the user must be assigned to a role that has an attached mobile policy. Use your directory server management console to assign the user to a role. (To learn how to assign a mobile policy to a role, see Section 5.4.2, "How to Assign a Mobile Policy to a Role.") You cannot use the Oracle Access Management console to add a user to Oracle Mobile Security Suite, nor can you use the console to assign a user to a role.

Note:

The Invite button is disabled if the user's LDAP record does not include an e-mail address, or if the user account is disabled.

5.3.3 Managing Passwords

Single sign-on (SSO) functionality is provided by Oracle Access Manager. Administrators and users use their SSO credentials to log in to the Oracle Mobile Security Suite consoles. To manage SSO passwords, users should use Oracle Identity Manager or a similar system.

Device passwords and Workspace PINs are managed from Mobile Security Manager.

  • You can either clear or reset a device passcode if the user forgets it. See Section 4.2, "Managing Devices and Workspaces" for details.

  • PIN and password policy settings, such as password complexity requirements, password expiry settings, and so on, are configured using policies. Device password requirements are configured on the Device tab, and Secure Workspace password requirements are configured on the Workspace tab. See "How to Create or Edit a Mobile Security Policy" for more information.

Note:

To learn how to add a "Forgot Password" link to the login screen on mobile devices, see Section 10.1.6, "Customize Password Management" (for iOS), or Section 10.2.9, "Customize Password Management" (for Android).

5.3.4 Disabling User Accounts

You cannot delete a user account from Oracle Mobile Security Suite using the Mobile Security Manager console. The only way to delete a user from Oracle Mobile Security Suite is to delete the user from your directory server.

You can disable a user's device or Secure Workspace in Mobile Security Manager as follows:

  • In Mobile Security Manager, either de-register the user's device(s) or lock the Secure Workspace(s). If a device is a managed device, wiping the device is an irreversible measure that should only be taken if it is necessary to erase all of the device's stored settings, data, and applications. If a device is an unmanaged device, only the Secure Workspace (and the user data that it contains) is irreversibly deleted. For details, see Section 4.2, "Managing Devices and Workspaces."

  • On your directory server, remove the user from all roles that have a mobile security policy assigned in Oracle Mobile Security Suite.
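The rules in Section 5.3.2 (who gets a working Invite button) and the role-removal step above can be checked offline against a directory export. The following is an added example, not Oracle code and not an Oracle Mobile Security Suite API: it assumes you have exported users with their role memberships from your directory server and transcribed which roles have a mobile policy attached from the Mobile Roles page. All names and sample records are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class User:
    uid: str
    mail: Optional[str]   # e-mail address from the user's LDAP record
    disabled: bool        # account disabled in the directory
    roles: Set[str] = field(default_factory=set)


def policy_roles(user: User, role_policies: Dict[str, List[str]]) -> List[str]:
    """Roles held by the user that have at least one mobile policy attached."""
    return sorted(r for r in user.roles if role_policies.get(r))


def invite_state(user: User, role_policies: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """Section 5.3.2: eligibility needs a policy-bearing role; the Invite
    button is disabled without an e-mail address or for a disabled account."""
    if not policy_roles(user, role_policies):
        return "not-eligible", ["no role with an attached mobile policy"]
    reasons = []
    if not (user.mail or "").strip():
        reasons.append("no e-mail address")
    if user.disabled:
        reasons.append("account disabled")
    return ("invite-disabled", reasons) if reasons else ("invite-enabled", [])


def offboarding_gaps(users: List[User], role_policies: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Section 5.3.4: disabled accounts that still sit in policy-bearing roles."""
    return {u.uid: policy_roles(u, role_policies)
            for u in users if u.disabled and policy_roles(u, role_policies)}


# Constructed sample data (role names, policy names and users are made up).
ROLE_POLICIES = {"mobile-sales": ["SalesPolicy"], "mobile-exec": ["ExecPolicy"], "contractors": []}
USERS = [
    User("alice", "alice@example.com", False, {"mobile-sales"}),
    User("bob", None, False, {"mobile-sales"}),
    User("carol", "carol@example.com", True, {"mobile-exec", "contractors"}),
    User("dave", "dave@example.com", False, {"contractors"}),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.uid, *invite_state(u, ROLE_POLICIES))
    print("offboarding gaps:", offboarding_gaps(USERS, ROLE_POLICIES))
```

Any entry reported by `offboarding_gaps` is an account whose role memberships still need to be removed on the directory server.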

5.4 Managing Mobile Roles

This section includes the following topics:

5.4.1 How to Search for a Role in Mobile Security Manager

Follow these steps to find a role record in Mobile Security Manager.

  1. Open the Mobile Roles page in the Mobile Security Manager console. To learn how, see Section 2.2.2, "Opening the Mobile Security Manager Console Pages."

  2. Search for the role by name or description.

    Roles that meet the search criteria are listed in the Search Results section of the page.

  3. Use the Sort menu to sort search results alphabetically by role name or description.

  4. Click the role record to open and close additional role details.

5.4.2 How to Assign a Mobile Policy to a Role

Follow these steps to add a mobile policy to a role or to remove a policy from a role.

  1. Open the Mobile Roles page in the Mobile Security Manager console. To learn how, see Section 2.2.2, "Opening the Mobile Security Manager Console Pages."

  2. Search for the role that you want to modify. To learn how, see Section 5.4.1, "How to Search for a Role in Mobile Security Manager."

  3. Expand the role record by clicking it.

  4. To assign a policy to a role:

    1. In the Policy section, click Add.

      A new policy row is added to the table.

    2. Type the name of the policy in the Policy Name field, then click Apply.

      or

      Click the magnifying glass icon to open the policy-picker dialog. Search by role name, policy name, or policy description. Role name search is case sensitive: if you are searching by role name, enter the whole name using the exact sequence of upper and lowercase characters. In the search results, select the Add checkbox for each policy that you are assigning to the role, then click the Add button to move your selections to the policy table and close the dialog. Click Apply to update the role.

      A dialog box confirms the operation if successful.

    To remove a policy from a role:

    1. Click to highlight the policy to be removed.

    2. Click Remove.